With so many internet attacks out there, I just think it would be convenient (and quicker and wiser) if there were a way to automatically harvest the hacked hosts that are used to launch internet attacks/probes. For example an SSH host could install DenyHosts and/or implement hosts.deny. From failed authentication data we can collect all the IP addresses of those hosts, and automatically (or semi-automatically, if that would be better) report to the site admins that their machines have been hacked. Is there any tool or online service like that? This would allow hacked machines to be squashed in a speedy manner.

This would be analogous to spamcop.net for spam. But now that there are so many more hacks and attempts, it does not make sense to mail site admins manually.

This question came from our site for system and network administrators.

Please clarify. Are you looking for an automated way to notify ISPs that a host on one of their IP addresses is compromised or intentionally abusive, and perhaps cause the ISPs to take action? Or are you instead looking for a service that you can participate in to create a blacklist?

– George Bailey, Dec 20 '11 at 16:28

OK. I guess you are right. I didn't know about Security Stack Exchange before. I am interested in automatically reporting such abuse to ISPs so they can take action (e.g. take down the compromised computer).

– Wirawan Purwanto, Jan 13 '12 at 23:11

and then the IP address 129.2.145.XXX gets added to the common blacklist. But it would be pretty trivial to submit fake logs with the IP addresses of users you are trying to DoS, preventing legitimate users from logging in using ssh to servers that subscribe to this blacklist.

This is slightly different from, say, doing a whois on 129.2.145.XXX to find the abuse contact and saying that the IP address 129.2.145.XXX appears to run scripts that attempt to break into machines through ssh.

A system administrator can then look into the issue, possibly (a) finding a compromised system under the control of a remote hacker (and then remove the malware; e.g., reinstall the OS), (b) a script kiddie who doesn't know what they are doing trying to break into random sites (and threaten legal action to stop the kid) or (c) nothing after a quick investigation and ignore the false alarm.

There are blacklists of the IP address blocks assigned to countries where this stuff is more rampant (China, Russia, Nigeria, Eastern Europe) and that may never need to log in to your server. Personally I'd run whois on all of them to double check, if you were to use this method; make sure that it's OK for your website/ssh server to block all traffic from those countries; and don't worry about the rare event of IP blocks getting reassigned to a different region.

But I just tend to lock down the number of AllowedUsers in ssh to one, change the ssh port (yes, security by obscurity) to something else under 1023 (so only root could control the port), prevent port scanning with psad, mitigate automated attacks with fail2ban, and use a complicated passphrase (normally through an ssh key).
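The reporting workflow described in this answer (collect failed SSH logins from your own logs, whois the source to find the abuse contact, send the admin a note), as an added example that is not code from the original thread. Everything in it is constructed: the auth.log excerpt and the whois record use documentation address ranges, the `whois_lookup` helper assumes a system `whois` client and is not used by the offline sample run, and the failure threshold is an illustrative choice. Building reports only from the host's own logs rather than from submitted logs is what avoids the fake-log DoS problem the answer raises.

```python
"""Parse sshd failed-login lines, aggregate per source IP, extract the abuse
contact from whois output and draft an abuse report (added example)."""
import re
import shutil
import subprocess
from collections import Counter

# Constructed auth.log excerpt using documentation ranges (RFC 5737), not real hosts.
AUTH_LOG = """\
Dec 19 18:01:02 srv sshd[1201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Dec 19 18:01:04 srv sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51030 ssh2
Dec 19 18:01:06 srv sshd[1205]: Failed password for root from 192.0.2.10 port 51041 ssh2
Dec 19 18:02:10 srv sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Dec 19 18:03:11 srv sshd[1212]: Failed password for alice from 198.51.100.7 port 40030 ssh2
Dec 19 18:05:12 srv sshd[1220]: Failed password for invalid user oracle from 203.0.113.5 port 33001 ssh2
Dec 19 18:05:13 srv sshd[1221]: Failed password for invalid user test from 203.0.113.5 port 33002 ssh2
Dec 19 18:05:14 srv sshd[1222]: Failed password for invalid user guest from 203.0.113.5 port 33003 ssh2
Dec 19 18:05:15 srv sshd[1223]: Failed password for invalid user postgres from 203.0.113.5 port 33004 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Map each source IP to a Counter of the usernames it failed to log in as."""
    per_ip = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            per_ip.setdefault(ip, Counter())[user] += 1
    return per_ip


def suspicious_sources(per_ip, threshold=3):
    """Keep only sources with at least `threshold` failures (illustrative value),
    so one mistyped password from a legitimate user never triggers a report.
    Only this host's own logs feed in; nothing submitted by third parties."""
    return {ip: c for ip, c in per_ip.items() if sum(c.values()) >= threshold}


ABUSE_KEYS = ("abuse-mailbox", "OrgAbuseEmail")  # RIPE/APNIC and ARIN field names


def abuse_contact(whois_text):
    """Return the abuse mailbox from whois output, or None if no such field."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ABUSE_KEYS and "@" in value:
            return value.strip()
    return None


def whois_lookup(ip):
    """Run the system `whois` client (assumed installed); returns "" if absent."""
    if shutil.which("whois") is None:
        return ""
    done = subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20)
    return done.stdout


def draft_report(ip, counter, contact, reporter_host="srv.example.org"):
    """Compose the message a site admin would send to the abuse contact."""
    total = sum(counter.values())
    users = ", ".join(f"{u} ({n})" for u, n in counter.most_common())
    to = contact or "(no abuse contact found in whois; use the netblock admin)"
    return (
        f"To: {to}\n"
        f"Subject: SSH brute-force attempts from {ip}\n\n"
        f"{ip} made {total} failed SSH logins against {reporter_host}, "
        f"trying the accounts: {users}. The host may be compromised; "
        f"please investigate. Log excerpt available on request.\n"
    )


# Constructed whois record in RIPE style for the sample netblock.
WHOIS_SAMPLE = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          constructed sample allocation
abuse-mailbox:  abuse@example.net
admin-c:        EX123-RIPE
"""


def sample_run():
    """Offline demo over the constructed data; returns the drafted reports by IP."""
    reports = {}
    for ip, counter in suspicious_sources(failed_logins(AUTH_LOG)).items():
        # The constructed whois record covers only the 203.0.113.0/24 sample block.
        contact = abuse_contact(WHOIS_SAMPLE) if ip.startswith("203.0.113.") else None
        reports[ip] = draft_report(ip, counter, contact)
    return reports


if __name__ == "__main__":
    for text in sample_run().values():
        print(text)
```

In a real deployment `whois_lookup(ip)` replaces `WHOIS_SAMPLE`, and the drafted text is what a human sends (or reviews before an automated mailer sends it), which is the "semi-automatic" option the question mentions. The threshold is the safeguard against false alarms on your own users; it does nothing about forged submissions, which is why the script never ingests logs from anyone else.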

I would like to know what you mean by anomaly and behavior based, and how they are different from what is described by the OP.

– George Bailey, Dec 19 '11 at 18:49

If I understand correctly, the OP is looking for a blacklist of hosts. These are IPs of hosts known to cause issues. Behavior/anomaly based methods look at patterns that are indicators of abuse rather than specific items. See windowsecurity.com/articles/…

– jeffatrackaid, Dec 19 '11 at 19:07

I asked the OP for clarification. He is not looking for a blacklist as much as he is wanting to notify the ISPs so they can take action.

– George Bailey, Jan 13 '12 at 23:38